Authorized keys file for administrators has moved #3

Closed
crowding opened this issue Sep 24, 2019 · 2 comments · Fixed by #7


crowding commented Sep 24, 2019

I had trouble getting public key authentication to work with this role and a clean install of Win10. I found that a recent change to Win32OpenSSH has changed the location of the `authorized_keys` file for users in group Administrators. Users in Administrators group now look for keys in `__PROGRAMDATA__\ssh\administrators_authorized_keys` instead of in their home directory.

Refs:
PowerShell/Win32-OpenSSH#1324
https://github.com/PowerShell/Win32-OpenSSH/wiki/sshd_config#authorizedkeysfile

For now, I've worked around the issue in my playbook by doing the following, so maybe these steps could be folded back into the role:

```yaml
- hosts: windows
  tasks:
    # Query the connecting account so its group membership can be tested below
    - name: Is this an admin account?
      win_user:
        name: "{{ ansible_user_id }}"
        state: query
      register: userData
    # Append each admin host's public key to the shared administrators file
    - name: Authorize admin targets to SSH to Windows admin-account targets
      win_lineinfile:
        path: "{{ ansible_env.ProgramData }}\\ssh\\administrators_authorized_keys"
        line: "{{ hostvars[item]['ssh_results']['ssh_public_key'] }}"
        create: yes
      with_items: "{{ groups['admin'] }}"
      when: "'Administrators' in (userData.groups | map(attribute='name') | list)"
    # Drop inherited ACEs so only the explicit entries below remain
    - name: disable ACL inheritance on ssh admin authkeys
      win_acl_inheritance:
        path: "{{ ansible_env.ProgramData }}\\ssh\\administrators_authorized_keys"
        reorganize: False
        state: absent
    # Grant explicit access to SYSTEM and Administrators
    - name: set correct permissions on admin ssh authkeys
      win_acl:
        path: "{{ ansible_env.ProgramData }}\\ssh\\administrators_authorized_keys"
        user: '{{ item }}'
        rights: FullControl
        type: allow
        state: present
        inherit: ContainerInherit, ObjectInherit
        propagation: None
      with_items:
        - System
        - Administrators
```
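
An added audit example (not part of the original post or of the role): a PowerShell check that the shared key file ended up in the state the tasks above aim for. It assumes the intended state is inheritance disabled with allow rules only for SYSTEM and the built-in Administrators group; the function name `Test-AdminAuthorizedKeysAcl` is hypothetical, and principals are compared by well-known SID so the check also works on non-English locales.

```powershell
# Added example: audits the ACL on administrators_authorized_keys.
# Assumption: only SYSTEM and BUILTIN\Administrators should hold allow rules,
# and ACL inheritance should be disabled on the file.
function Test-AdminAuthorizedKeysAcl {
    param(
        [string]$Path = (Join-Path $env:ProgramData 'ssh\administrators_authorized_keys')
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        return [pscustomobject]@{ Path = $Path; Compliant = $false; Findings = @('file not found') }
    }

    # Well-known SIDs are locale independent, unlike the group display names.
    $expected = @{
        'S-1-5-18'     = 'SYSTEM'
        'S-1-5-32-544' = 'BUILTIN\Administrators'
    }

    $acl      = Get-Acl -LiteralPath $Path
    $findings = @()
    $seen     = @()

    if (-not $acl.AreAccessRulesProtected) {
        $findings += 'ACL inheritance is still enabled'
    }

    # Ask for explicit and inherited rules, with identities returned as SIDs.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        $sid = $rule.IdentityReference.Value
        if ($expected.ContainsKey($sid)) {
            $seen += $sid
        } else {
            $findings += "unexpected allow rule for $sid ($($rule.FileSystemRights))"
        }
    }

    foreach ($sid in $expected.Keys) {
        if ($seen -notcontains $sid) {
            $findings += "no allow rule for $($expected[$sid]) ($sid)"
        }
    }

    [pscustomobject]@{ Path = $Path; Compliant = ($findings.Count -eq 0); Findings = $findings }
}

Test-AdminAuthorizedKeysAcl | Format-List
```
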
@jborean93
Owner

Sorry it took so long for me to get to it, I've added the ability to control this option with #7. It also keys this working with non-English locales if you are running that and want a shared location.


teridon commented Feb 3, 2021

I think when setting "opt_openssh_shared_admin_key: True", the "opt_openssh_pubkeys" should be installed in the shared location.
